I. Overview of SELinux
1. SELinux Introduction
SELinux: Security-Enhanced Linux
is a Linux security module for mandatory access control, developed by the NSA (the National Security Agency) and SCC (Secure Computing Corporation). It was released in 2000 under the GNU GPL and integrated into the Linux kernel with the 2.6 release.
DAC: discretionary access control
Whether access is granted is decided by the rwx permissions of the process owner and of the file resource
A process in a DAC environment is unconstrained
Weak control capability and low security
MAC: mandatory access control
A policy rule decides which specific program may read which specific file
A process can be constrained in a MAC environment
The policy rules in a MAC environment determine how strict the control is
Policies are used to define which resources (files and ports) a restricted process may use
By default, behavior that is not explicitly allowed is denied
Security context: process -- resource
Sandbox
Once a process is started, the resources it can access are no longer global but limited
2. SELinux operation mode
SELinux manages processes in the MAC manner: the subject it controls is the process, and the target is the file resource that the process reads.
All operations on the system can be categorized as: a subject manipulating an object
A process operating on a resource is: subject - predicate - object
Subject
SELinux mainly manages processes, so the subject can be regarded as the process
Object
The target resource that a subject process can access is usually the file system: every object that can be read, including files, directories, processes, ports, etc.
3. Strategy Policy
Because of the large number of processes and files, SELinux defines basic security access policies on the basis of certain services. These policies also contain more detailed rules that specify whether different services may access certain resources.
The current policies (SELinux work types) come in four types:
[root@<host> ~]# cat /etc/selinux/config
# This file controls the state of SELinux on the system.
# SELINUX= can take one of these three values:
#     enforcing - SELinux security policy is enforced.
#     permissive - SELinux prints warnings instead of enforcing.
#     disabled - No SELinux policy is loaded.
SELINUX=disabled
# SELINUXTYPE= can take one of these two values:
#     targeted - Targeted processes are protected,
#     mls - Multi Level Security protection.
SELINUXTYPE=targeted
strict: every process is under SELinux control # the default policy on CentOS 5?
targeted: used to protect common network services; only a limited set of processes is controlled by SELinux, i.e. only vulnerable processes are monitored. RHEL4 protects only 13 services, RHEL5 protects 88 services # the default policy on CentOS 6
minimum: a modified targeted policy, only for selected network services # the default policy on CentOS 7
MLS: provides security for the multilevel security (MLS) mechanism
Note: minimum and MLS are not stable enough to be applied
In SELinux, every file is given a type label and every process a domain label. The actions a domain label can perform are defined by the security policy.
When a subject tries to access an object, the kernel's policy enforcement server checks the AVC (Access Vector Cache), where the permissions of subjects and objects are cached, looking up the "application + file" security context pair; access is then allowed or denied based on the result of the lookup.
SELinux rule library:
Rule: which domain can access which type of file, or which kinds of files
4. SELinux Security Context
In traditional Linux, access to all files is controlled by user, group, and permission bits
In SELinux, all objects are controlled by the security elements stored in the extended attributes of the inode
All files, port resources, and processes carry an SELinux security label: the security context
The security context consists of five elements:
After SELinux starts, 5 attributes are introduced for each resource, of which user, role and type are the main ones # on CentOS only 3 of these attributes are in effect
user:role:type:sensitivity:category
user_u:object_r:tmp_t:s0:c0
[root@<host> html]# ls -Z
-rw-r--r--. root root system_u:object_r:httpd_sys_content_t:s0 index.html
[root@<host> html]# ps auxZ | grep httpd
unconfined_u:system_r:httpd_t:s0 root 2904 0.3 0.2 177812 3892 ? Ss 07:39 0:00 /usr/sbin/httpd
unconfined_u:system_r:httpd_t:s0 apache 2932 0.0 0.1 177812 2524 ? S 07:39 0:00 /usr/sbin/httpd
unconfined_u:system_r:httpd_t:s0 apache 2933 0.0 0.1 177812 2500 ? S 07:39 0:00 /usr/sbin/httpd
unconfined_u:system_r:httpd_t:s0 apache 2934 0.0 0.1 177812 2500 ? S 07:39 0:00 /usr/sbin/httpd
unconfined_u:system_r:httpd_t:s0 apache 2935 0.0 0.1 177812 2500 ? S 07:39 0:00 /usr/sbin/httpd
unconfined_u:system_r:httpd_t:s0 apache 2937 0.0 0.1 177812 2500 ? S 07:39 0:00 /usr/sbin/httpd
unconfined_u:system_r:httpd_t:s0 apache 2940 0.0 0.1 177812 2500 ? S 07:39 0:00 /usr/sbin/httpd
unconfined_u:system_r:httpd_t:s0 apache 2942 0.0 0.1 177812 2500 ? S 07:39 0:00 /usr/sbin/httpd
unconfined_u:system_r:httpd_t:s0 apache 2943 0.0 0.1 177812 2500 ? S 07:39 0:00 /usr/sbin/httpd
unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 root 2946 1.0 0.0 103256 880 pts/1 S+ 07:39 0:00 grep httpd
Actual (current) context: stored in the file system; view it with the ls -Z and ps -Z commands
Expected (default) context: stored in the binary SELinux policy library (a mapping of directories to their expected security contexts)
View command: semanage fcontext -l
5. The five security elements of SELinux
SELinux gives every file a security label, and every process a security label as well;
user: indicates the type of user logged on to the system, such as root, user_u, system_u; most local processes belong to the free (unconfined) user
role: defines the purpose of a file, process, or user
files: object_r; processes and users: system_r
type: specifies the data type; the rules define which process type (domain) may access which file type, and the targeted policy is implemented on the basis of type
shared by multiple services: public_content_t
sensitivity: hierarchical security levels defined by an organization according to its need to restrict access, such as unclassified, secret, top secret; an object has exactly one sensitivity, levels 0-15, s0 the lowest; the targeted policy uses s0 by default
category: non-hierarchical categories defined for a particular organization, such as FBI secret, NSA secret; an object can have multiple categories, c0-c1023, 1024 in total; the targeted policy does not use categories
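As an added illustration (not part of the original notes), the following Python parses the security contexts from ls -Z / ps -Z lines like those shown above into the five elements, including the MLS range s0-s0:c0.c1023 carried by the unconfined shell, and models the default-deny lookup described in section 3 against a constructed allow rule for httpd_t. The RULES table and the two sample lines are assumptions for the example, not real policy.

```python
import re
from dataclasses import dataclass
# Sample lines constructed from the ls -Z / ps auxZ output shown above (not captured live).
LS_LINE = "-rw-r--r--. root root system_u:object_r:httpd_sys_content_t:s0 index.html"
PS_LINE = ("unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 root 2946 1.0 0.0 "
           "103256 880 pts/1 S+ 07:39 0:00 grep httpd")
CTX_RE = re.compile(r"(\w+:\w+:\w+:s\d+(?:[-:.,][sc]\d+)*)")

@dataclass(frozen=True)
class Level:
    sensitivity: int       # sN, levels 0-15 on the page
    categories: frozenset  # category numbers; empty under the targeted policy

@dataclass(frozen=True)
class Context:
    user: str
    role: str
    type: str
    low: Level   # for a process, low-high is its MLS clearance range
    high: Level

def parse_level(text):
    """'s0' has no categories; 's0:c0.c1023' is a range, 's0:c1,c3' a list."""
    sens, _, cats = text.partition(":")
    found = set()
    for part in filter(None, cats.split(",")):
        lo, _, hi = part.partition(".")
        found.update(range(int(lo[1:]), int((hi or lo)[1:]) + 1))
    return Level(int(sens[1:]), frozenset(found))

def parse_context(ctx):
    """Split user:role:type:level[-level] into the five security elements."""
    user, role, typ, levels = ctx.split(":", 3)
    low, _, high = levels.partition("-")
    return Context(user, role, typ, parse_level(low), parse_level(high or low))

def context_from_line(line):
    """Pull the security context out of an ls -Z or ps -Z output line."""
    return parse_context(CTX_RE.search(line).group(1))

def dominates(subject, obj):
    """MLS check: the subject's high level must cover the object's sensitivity and categories."""
    return (subject.high.sensitivity >= obj.low.sensitivity
            and obj.low.categories <= subject.high.categories)

# Constructed allow rule in the spirit of "allow httpd_t httpd_sys_content_t:file { read }".
RULES = {("httpd_t", "httpd_sys_content_t", "file"): {"getattr", "open", "read"}}

def access_allowed(subject, obj, cls, perm):
    """Type enforcement plus MLS with default deny: no matching allow rule means no access."""
    return perm in RULES.get((subject.type, obj.type, cls), set()) and dominates(subject, obj)
```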
II. Setting SELinux
chcon, restorecon
Change label
chcon
-t type: change to the specified type
-R: recursive
--reference=rfile: use rfile as the reference
-u user
-r role
restorecon
-R: change back to the original (default) attribute, recursively
Modifying the properties of a file under SELinux control
setsebool
-P: permanent effect
Allow anonymous user uploads:
allow_ftpd_anon_write on
allow_ftpd_full_access on
getsebool
-a
rsyslog:
log: historical record
level:
syslog: syslogd, klogd
facility: a facility classifies logs by the feature or program that produced them; a specialized tool then records its logs
CentOS 6: rsyslog
$ModLoad imudp: load the UDP protocol module
-: indicates an asynchronous write
Log collection and analysis tools:
Logstash
Analytics tools: Hadoop
Homework:
Analyze the logs generated by rsyslog
Store logs in a MySQL database
Analyze them with LogAnalyzer
Analyze httpd logs
Webalizer
AWStats
"Linux Basics" 23, SELinux Basics